From 3bfaefcf0ba2b155fc6167307e910eb3ed982c30 Mon Sep 17 00:00:00 2001 From: Dennis Mo Date: Tue, 20 Jul 2021 12:27:43 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0acme=E6=96=87=E6=A1=A3?= =?UTF-8?q?=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- acme/README.md | 92 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 82 insertions(+), 10 deletions(-) diff --git a/acme/README.md b/acme/README.md index ad038ec..84031ea 100644 --- a/acme/README.md +++ b/acme/README.md @@ -52,27 +52,27 @@ 场景1: - mkdir -p /srv/certbot/conf/live/dev.woyue.org + `mkdir -p /srv/certbot/conf/live/dev.woyue.org` - acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \ + `acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \ --key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \ --fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \ - --reloadcmd "docker restart nginxdocker_nginx_1" + --reloadcmd "docker restart nginx_nginx_1"` 场景2: - mkdir -p /srv/certbot/conf/live/nr.woyue.org + `mkdir -p /srv/certbot/conf/live/nr.woyue.org` - acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \ + `acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \ --key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \ --fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \ - --reloadcmd "docker restart nginx_server" + --reloadcmd "docker restart nginx_server"` - 注意,最后的nginxdocker_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数,手动重启nginx**。 + 注意,最后的nginx_nginx_1或nginx_server为nginx容器的名称。请根据实际情况修改。**或不加此参数,手动重启nginx**。 2. 生成:dhparams文件 - openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048 + `openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048` ## 使用证书 @@ -84,7 +84,7 @@ ssl_certificate /etc/letsencrypt/live/nr.woyue.org/fullchain.pem ## 应用实例 -centos2上的证书强制刷新: +(1)centos2上的证书强制刷新: acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org 
@@ -92,4 +92,76 @@ acme.sh --force --debug --issue --dns dns_ali -d nr.woyue.org -d *.nr.woyue.org
 acme.sh --installcert -d nr.woyue.org -d *.nr.woyue.org \
 --key-file /srv/certbot/conf/live/nr.woyue.org/privkey.pem \
 --fullchain-file /srv/certbot/conf/live/nr.woyue.org/fullchain.pem \
- --reloadcmd "docker restart nginx_server"
\ No newline at end of file
+ --reloadcmd "docker restart nginx_server"
+
+(2)frps服务器上的acme更新与证书刷新
+
+记录时间:2021/7/20
+
+访问网址web.dev.woyue.org,发现证书过期。
+
+登录服务器,通过acme.sh --list查看,发现证书renew时间为将近两个月前,但Created的时间为将近4个月前。这说明renew没有成功。
+
+执行:
+
+`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
+
+中途报错:
+
+[Tue Jul 20 11:32:10 CST 2021] GET
+[Tue Jul 20 11:32:10 CST 2021] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT'
+[Tue Jul 20 11:32:10 CST 2021] timeout=
+[Tue Jul 20 11:32:10 CST 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
+[Tue Jul 20 11:32:11 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
+[Tue Jul 20 11:32:11 CST 2021] ret='35'
+
+按上述提示网址查询error code 35:
+
+**CURLE_SSL_CONNECT_ERROR (35)**
+
+A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.
+
+尝试直接访问对应网址:'https://cloudflare-dns.com/dns-query?name=_acme-challenge.dev.woyue.org&type=TXT',无法访问。
+
+这是acme.sh内部制定的网址,因此考虑升级acme。
+
+执行
+
+`acme.sh --upgrade`
+
+期间出现提示:
+
+[Tue Jul 20 11:50:46 CST 2021] acme.sh is using ZeroSSL as default CA now.
+[Tue Jul 20 11:50:46 CST 2021] Please update your account with an email address first.
+[Tue Jul 20 11:50:46 CST 2021] acme.sh --register-account -m my@example.com
+[Tue Jul 20 11:50:46 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
+[Tue Jul 20 11:50:46 CST 2021] _on_issue_err
+
+根据提示,需要先注册邮箱:
+
+[root@ngork certbot]# `acme.sh --register-account -m damnedmoon@163.com`
+[Tue Jul 20 11:54:05 CST 2021] No EAB credentials found for ZeroSSL, let's get one
+[Tue Jul 20 11:54:07 CST 2021] Registering account: https://acme.zerossl.com/v2/DV90
+[Tue Jul 20 11:54:10 CST 2021] Registered
+[Tue Jul 20 11:54:10 CST 2021] ACCOUNT_THUMBPRINT='8Lcr_kW542VKNC3VCJwbFcuPEaFiunVnzJBxOKJAejM'
+
+再次执行
+
+`acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
+
+提示成功。执行
+
+`acme.sh --list`
+
+Main_Domain KeyLength SAN_Domains CA Created Renew
+dev.woyue.org "" *.dev.woyue.org ZeroSSL.com Tue Jul 20 03:55:38 UTC 2021 Sat Sep 18 03:55:38 UTC 2021
+
+可见,证书已经申请成功。
+
+接下来,重新安装证书并重启nginx docker容器:
+
+`acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
+--key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
+--fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
+--reloadcmd "docker restart nginx_nginx_1"`
+